What Is Your Favorite Annoying Question?

A funny piece at Slate rants about the “security” questions increasingly asked by financial institutions in a doomed attempt to foil hackers and phishers. It links to this funnier rant by David Weinberger. (I’ve also complained about the privacy concerns related to this before, but that’s not so funny). As Slate sums up the idiocy:

The problem isn’t a failure of imagination on the part of the question-conjurers. It’s the impossibility of coming up with a question that’s easy to answer but hard to guess. After throwing in the caveat that “there is no one perfect question,” the proprietor of Good Security Questions lists 16 that he considers the best. Almost all of them are terrible. What was your childhood nickname? Didn’t have one, sadly. What is the name of your favorite childhood friend? Do Legos count as a friend? What is your oldest sibling’s birthday month? I’m guessing it would take a hacker two tries to get to February.

I’ll add two more problems. First, oftentimes more than one person has legitimate access to the account, like a spouse. Are they asking me about my first pet or hers? Second, there is often more than one possible answer. Who is my favorite childhood friend? I seem to recall that data changed weekly, and that many schoolyard fights emerged over the constant churn in “best” friends.

Not that I have a brilliant solution. I guess it’s another possible argument in favor of what those Identity Gang people are up to…

2 Responses to “What Is Your Favorite Annoying Question?”

  1. I’ve been griping about (and trying to avoid) these silly things since they first popped up. Anyone who thinks a “favorite” anything is a valid verification question is seriously underestimating my ability to be fickle. And to steal from John Scalzi—my favorite color? Seriously? What am I, nine or something?

    The problem with these things goes beyond questions with shifting answers or low entropy (really, how many answers to “what’s your favorite color?” are there going to be?). It’s that most of them actually weaken security.

    Example. My online banking password is over eight characters of what should look like gibberish to anyone but me, with uppercase letters, lowercase letters, and punctuation. Fairly secure, right? We’re always told not to use English words for our passwords, and rightly so. Then why build a way to change that password by merely answering a question that (a) will almost always be an English word and (b) gives a big fat hint what that word will be?

    I avoid the security questions whenever possible, and give gibberish as the answer when I can’t. I haven’t been locked out of a system yet because of it, and I haven’t had an account compromised by someone who was able to guess that my favorite color is blue. Or is it red? I can’t remember.
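The low-entropy point made in the post (a sibling's birthday month falls in two guesses) and the comment above (a reset question weakens a strong password) can be put in numbers. The following is an added example, not code from the post or from either commenter: it scores candidate reset questions by the entropy of their answer distribution, counts how many ordered guesses reach a given success chance, and flags when the recovery path carries fewer bits than the password policy. The answer distributions are constructed for illustration, not survey data, and the 94-symbol printable-ASCII alphabet used for the password estimate is an assumption.

```python
import math
from typing import Dict

MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]

# Constructed answer distributions (illustrative guesses, not survey data).
# Each value is the share of users expected to give that answer; they sum to 1.
ANSWER_DISTRIBUTIONS: Dict[str, Dict[str, float]] = {
    "oldest sibling's birthday month": {m: 1 / 12 for m in MONTHS},
    "favorite color": {"blue": 0.40, "green": 0.20, "red": 0.20,
                       "purple": 0.10, "black": 0.10},
}


def shannon_entropy_bits(dist: Dict[str, float]) -> float:
    """Shannon entropy of an answer distribution, in bits."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def guesses_for_success(dist: Dict[str, float], target: float = 0.5) -> int:
    """Guesses needed, trying the most common answer first, before the
    cumulative chance of a hit reaches `target` (0.5 = even odds)."""
    cumulative = 0.0
    for i, p in enumerate(sorted(dist.values(), reverse=True), start=1):
        cumulative += p
        if cumulative >= target - 1e-12:   # tolerate float rounding
            return i
    return len(dist)


def expected_guesses(dist: Dict[str, float]) -> float:
    """Average number of ordered guesses until the answer is found."""
    ordered = sorted(dist.values(), reverse=True)
    return sum(i * p for i, p in enumerate(ordered, start=1))


def password_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on password strength: log2 of the full search space."""
    return length * math.log2(alphabet_size)


def audit_recovery(policy_bits: float,
                   distributions: Dict[str, Dict[str, float]]) -> dict:
    """An account is only as strong as its weakest login path. If a reset
    question carries fewer bits than the password policy, the question,
    not the password, sets the real strength of the account."""
    per_question = {q: shannon_entropy_bits(d) for q, d in distributions.items()}
    weakest_q = min(per_question, key=per_question.get)
    weakest_bits = per_question[weakest_q]
    return {
        "password_bits": policy_bits,
        "weakest_question": weakest_q,
        "weakest_question_bits": weakest_bits,
        "effective_bits": min(policy_bits, weakest_bits),
        "recovery_weakens_account": weakest_bits < policy_bits,
    }


if __name__ == "__main__":
    # Assumed policy: 8 characters drawn from 94 printable ASCII symbols.
    policy = password_bits(8, 94)
    for question, dist in ANSWER_DISTRIBUTIONS.items():
        print(f"{question}: {shannon_entropy_bits(dist):.2f} bits, "
              f"{guesses_for_success(dist)} guesses for even odds, "
              f"{expected_guesses(dist):.1f} expected guesses")
    print(audit_recovery(policy, ANSWER_DISTRIBUTIONS))
```

Running it shows the birthday month at about 3.6 bits (six guesses for even odds), the constructed favorite-color distribution at about 2.1 bits (two guesses), and an eight-character password policy at roughly 52 bits, so the audit reports that the recovery question, not the password, is the effective strength of the account.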

  2. I’m convinced that these personalized security questions are an attempt at data mining.